Heroku Details Investigation Report on GitHub OAuth Token Theft
Salesforce-owned platform-as-a-service provider Heroku has revealed that the April hack, in which a threat actor downloaded the OAuth tokens used for its Microsoft GitHub integration, went further than initially thought: hashed and salted customer passwords were exfiltrated as well.
The threat actor began enumerating metadata about customer repositories with the stolen OAuth tokens on April 8, 2022. The next day, the attacker downloaded a subset of Heroku's private GitHub repositories from GitHub, containing some Heroku source code.
GitHub notified Salesforce's Heroku of the suspicious activity on April 13, one day after first identifying it. On April 16, Heroku revoked all GitHub integration OAuth tokens, which in effect prevents customers from using the Heroku Dashboard or automation to deploy apps from GitHub.
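The sequence described above, broad enumeration of repository metadata through a third-party OAuth integration followed a day later by cloning of the enumerated repositories, is a pattern worth alerting on in GitHub audit data. The following is an added example, not code from Heroku, GitHub or the original article: it runs a simple detector over constructed, audit-log-style events. The field names (`ts`, `actor`, `app`, `action`, `repo`) and the action names `repo.metadata_read`, `git.clone` and `repo.download_zip` are assumptions for this example, not GitHub's documented audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an audit-log-like shape. Field and action names
# are assumed for this example, not GitHub's documented schema.
# "dev-alice"'s integration token reads metadata for four repos on April 8 and
# pulls two of them the next day; "dev-bob" is an ordinary single-repo deploy.
SAMPLE_EVENTS = [
    {"ts": "2022-04-08T09:00:00Z", "actor": "dev-alice", "app": "Heroku Dashboard",
     "action": "repo.metadata_read", "repo": "acme/api"},
    {"ts": "2022-04-08T09:00:05Z", "actor": "dev-alice", "app": "Heroku Dashboard",
     "action": "repo.metadata_read", "repo": "acme/billing"},
    {"ts": "2022-04-08T09:00:10Z", "actor": "dev-alice", "app": "Heroku Dashboard",
     "action": "repo.metadata_read", "repo": "acme/web"},
    {"ts": "2022-04-08T09:00:15Z", "actor": "dev-alice", "app": "Heroku Dashboard",
     "action": "repo.metadata_read", "repo": "acme/infra"},
    {"ts": "2022-04-09T11:30:00Z", "actor": "dev-alice", "app": "Heroku Dashboard",
     "action": "git.clone", "repo": "acme/api"},
    {"ts": "2022-04-09T11:31:00Z", "actor": "dev-alice", "app": "Heroku Dashboard",
     "action": "repo.download_zip", "repo": "acme/billing"},
    {"ts": "2022-04-08T14:00:00Z", "actor": "dev-bob", "app": "Heroku Dashboard",
     "action": "repo.metadata_read", "repo": "acme/web"},
    {"ts": "2022-04-08T14:00:30Z", "actor": "dev-bob", "app": "Heroku Dashboard",
     "action": "git.clone", "repo": "acme/web"},
]

ENUM_ACTIONS = {"repo.metadata_read"}            # read-only reconnaissance
EXFIL_ACTIONS = {"git.clone", "repo.download_zip"}  # bulk source retrieval


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_enum_then_exfil(events, min_repos=3, window=timedelta(days=2)):
    """Flag (actor, app) pairs that enumerate at least `min_repos` distinct
    repositories and then clone or download one of those repositories within
    `window`. A single metadata read followed by a clone of the same repo, the
    shape of a normal deploy, does not trigger."""
    by_key = defaultdict(list)
    for event in events:
        by_key[(event["actor"], event["app"])].append(event)

    alerts = []
    for (actor, app), evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        enumerated = {}   # repo -> time of first metadata read
        downloaded = []   # enumerated repos later cloned/downloaded
        for event in evs:
            when = parse_ts(event["ts"])
            if event["action"] in ENUM_ACTIONS:
                enumerated.setdefault(event["repo"], when)
            elif event["action"] in EXFIL_ACTIONS:
                # Breadth of reconnaissance seen within the window before this pull.
                recent = [r for r, t0 in enumerated.items() if when - t0 <= window]
                if len(recent) >= min_repos and event["repo"] in enumerated:
                    downloaded.append(event["repo"])
        if downloaded:
            alerts.append({
                "actor": actor,
                "app": app,
                "enumerated_repos": len(enumerated),
                "downloaded": downloaded,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enum_then_exfil(SAMPLE_EVENTS):
        print(f"{alert['actor']} via {alert['app']}: enumerated "
              f"{alert['enumerated_repos']} repos, then pulled {alert['downloaded']}")
```

The threshold and window are deliberately loose; in practice they would be tuned against a baseline of how each integration normally behaves, and the alert would be joined with the OAuth app's client ID so that revoking the token (as Heroku did on April 16) can be scoped to the affected integration rather than every authorization.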
This week Heroku forced resets of user passwords and invalidated application programming interface (API) access tokens, but at the time did not say why. The reset was thought to be a response to the early-April hack, and Heroku has now confirmed this.
"Our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers' user accounts. For this reason, Salesforce is ensuring all Heroku user passwords are reset, and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place."
Heroku statement